When users forget one of their passwords, they either turn to the IT administration or reset it themselves. But if the password reset procedure is not implemented properly, it opens up opportunities for attack by cybercriminals. Privacy regulators offer tips on what to look for.
Password problems, especially in the home office
Who doesn’t know the situation? The password for a rarely used service just won’t come to mind. After a few unsuccessful login attempts, it becomes clear that the password has to be reset.
Forgetting passwords is a problem that IT users and IT administrators have had to deal with since the early days of IT security, because we humans are forgetful, especially when, as is usually required, a separate password has to be chosen for each service and passwords are supposed to be complex.
Writing passwords down and storing them in an unprotected password list is not a solution to forgetting; on the contrary, it poses a high risk to password security.
That’s why procedures are needed for what users should do when they forget a password again, i.e., a procedure for resetting and reissuing it.
Unfortunately, passwords have to be reset very often, so the IT administration or the company help desk spends a lot of working time on this. To relieve IT support, many companies now use a self-service reset.
Especially in times of home office and remote work, such procedures offer several advantages, provided they are implemented correctly. For example, help desk staff are relieved, and employees working from home do not have to wait until someone can help them, which would reduce productivity.
So there are good reasons to look into password reset procedures.
Resetting as a possible attack method
Unfortunately, many mistakes are made in self-service password reset procedures. For example, the security questions used to verify user identity during the password reset are often too simple and, in this age of social media, can be easily answered by third parties.
Without secure verification of the user identity, however, attackers can abuse password reset procedures to assign themselves a password and then penetrate the systems.
Data protection experts such as the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg therefore even recommend: “Many services ask you for personal information for security questions, such as the name of your first pet, your mother’s date of birth or similar. The correct answers to such questions are often easy for attackers to find out from your environment or, in particular, from public figures. If a service forces you to use such security questions: Lie! It’s a good idea to provide random information, as with passwords, and store it in the password safe.”
Data privacy advocates call for better password reset procedures
Password resets can become a security leak and result in data breaches if the process is not properly implemented. That’s why privacy regulators have produced recommendations on how password resets should be implemented:
Password reset procedures that are resistant to unauthorized access attempts and social engineering should be offered. Procedures that send a new password by e-mail are unsuitable. The state of the art is password reset links that work only once and have only a short validity period (max. 1 hour). In particular, a second channel must be used for recovering e-mail accounts.
Additional security questions when triggering a password reset procedure provide greater security than sending a password reset link without further authentication, but they cannot replace a second secure channel. If security questions are used, several questions should be asked, and user-generated questions should be possible in addition to predetermined ones. Incorrect answers to security questions must, like incorrect password entries, lead at least to a temporary block.
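The recommendations above (single-use reset links, a validity of at most one hour, and a temporary block after wrong security-question answers) can be turned into server-side logic. The following is an added illustration, not code from the article or from any regulator or vendor; the class and function names, the in-memory store, the injectable clock, and the lockout thresholds are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600          # reset link valid for at most one hour, as recommended
MAX_FAILURES = 3          # wrong security answers before a temporary block (assumed)
LOCKOUT = 15 * 60         # length of the temporary block in seconds (assumed)


def hash_answer(answer: str, salt: str) -> str:
    """Normalise and salt-hash a security answer so no plaintext answer is stored."""
    normalised = " ".join(answer.strip().lower().split())
    return hashlib.sha256((salt + normalised).encode()).hexdigest()


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._tokens = {}      # sha256(token) -> (username, expiry timestamp)
        self._failures = {}    # username -> [failure count, locked_until]

    def issue_link(self, username: str) -> str:
        """Create a random single-use token; only its hash is kept server-side."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (username, self.clock() + TOKEN_TTL)
        return token   # deliver via a second channel, never as a new password by e-mail

    def redeem_link(self, token: str):
        """Return the username if the token is valid; the token is consumed either way."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)   # pop: the link works only once
        if entry is None:
            return None
        username, expiry = entry
        return username if self.clock() <= expiry else None

    def check_answer(self, username: str, answer: str, salt: str, stored: str) -> bool:
        """Verify a security answer; block the user temporarily after repeated failures."""
        count, locked_until = self._failures.get(username, [0, 0.0])
        if self.clock() < locked_until:
            return False                         # still blocked: do not even compare
        if hmac.compare_digest(hash_answer(answer, salt), stored):
            self._failures.pop(username, None)   # success clears the failure counter
            return True
        count += 1
        if count >= MAX_FAILURES:
            count, locked_until = 0, self.clock() + LOCKOUT
        self._failures[username] = [count, locked_until]
        return False
```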
The Specops uReset solution
The Specops uReset solution from Specops Software allows remote users to reset their passwords without calling the help desk. uReset updates the password not only in Active Directory but also in the computer’s locally cached credentials, which prevents the account from being locked out. The password reset is performed directly from the Windows login screen.
Users can also reset their password via browser, cell phone, or directly from the Windows login screen, even without being connected to the corporate network. Specops uReset ensures a high level of security for user identity verification through security features such as multifactor authentication and geo-blocking. For example, a password reset can be blocked if it is attempted from a location where the user would not normally be.
Specops uReset does not rely on simple security questions to check user identity. Specops uReset allows users to verify their identity using a variety of identity providers including Duo Security, Okta Verify, MS Authenticator, or a biometric option. Using multiple identity services allows users to complete the password reset task even if an identity service is unavailable.
For example, if a user does not have their mobile device at hand and therefore cannot authenticate via biometrics, they can ask their supervisor to verify their identity via Manager Identification.
Statistics and audit reports are available to the IT administration to track usage and system messages. In addition, the user interface is available in several languages such as German, French, and Spanish, and the user dialog can be customized so that companies can apply their corporate design. Last but not least, Specops uReset supports Google reCAPTCHA to prevent username harvesting.
Password reset requests pose a major challenge to the help desk, not only because of the high effort involved but also in terms of security: legitimate requests have to be distinguished from those of cybercriminals, and social engineering attacks on the help desk are a major threat.
Specops Secure Service Desk enables organizations to ensure secure user verification by the service desk staff. This will be looked at in more detail in the next part of this series. If you want to take a look now, you can find the solution here: